Sometimes it takes a very public breach for the shockwaves to force an industry to tighten up security. I welcome the news that the Certificate Authority (CA) industry body that initially specified the standard for Extended Validation (EV) certificates has now published requirements (or standards of due care) for the issuance of publicly trusted certificates. Certificate authorities that have signed up to the new requirements have 6 months to comply.
Continue reading "Safer digital identities in 2012?" »
It's good news that Google have announced their continued expansion of the use of SSL, which means that certain Google searches (and the results) will be encrypted. There's already been pressure to turn on encryption at corporate and domestic WiFi hotspots to prevent theft of passwords and other information by sniffers on the local hotspot, but it must be remembered that this still only protects communication between the user's computer or phone and the WiFi access point. Traffic flowing on the wired network across the various hops and interconnection points that make up the internet to get to websites such as Google is typically unencrypted. The solution is for website operators to deploy technologies like SSL to provide end-to-end encryption from the consumer all the way back to their site. It's good to see that https (aka SSL) is now gradually replacing http, even for free services like Google search.
Continue reading "SSL- moving forward" »
Since the European Commission outlined its overhaul of EU data protection laws in June (see earlier post here), debate has continued about the scope and impact of the reforms, especially in reference to cloud computing.
The draft document is not due out until November but there has been considerable speculation on the details of the Directive, particularly over whether it will shift liability to the cloud provider in the event of a data breach.
Continue reading "EU data protection reform – how will it affect the cloud?" »
Following the catastrophic security failures at both DigiNotar and Comodo that led to a single attacker obtaining numerous falsified SSL certificates and the subsequent large scale misdirection of traffic in Iran, 2011 looks set to be a defining year that may change the landscape in the PKI world for years to come.
While vendors, consultants and regulators have advocated the benefits of PKI and defined security practices and standards to ensure the integrity of the infrastructure upon which all e-commerce depends, attacks have typically been theoretical. Now there’s undeniable evidence that the threat is real. And while the recent attacks have (eventually) become public knowledge, I cannot help but wonder how many other breaches remain undiscovered or unannounced.
Continue reading "Can certificate authorities be trusted?" »
Data breaches have certainly dominated the headlines during the past few months. The dust hadn’t settled around Stuxnet when the Sony and RSA incidents occurred. We have also seen less complex mobile phone “hacking” that has closed a national newspaper and dominated a government’s agenda. Now, recent reports have shown an increase in smartphone attacks, with more app, Android and iPhone incidents as hackers attempt to get at the treasure trove of personal information users are now keeping on their mobile phones. Is this the next fraud frontier?
Continue reading "Smartphones: The Next Hacker Heaven?" »
A researcher has revealed this week how easy it can be to find the private keys that are supposedly securing organisations’ sensitive data. No clever hacks or tricks of the trade are necessary, just a simple Google search.
After he claimed that a web search on ‘BEGIN PGP PRIVATE KEY BLOCK’ gave 29,500 hits, I decided to test this out myself (with a few tweaks) and the number of keys out there is indeed staggering. It’s not clear how many of them are real or provide access to valuable information, but presumably some proportion of them do. And that’s worrying.
Continue reading "Warning: are your keys exposed in public Google searches?" »
Code signing is one concept not earning enough attention amid all the coverage of advanced persistent threats (APTs). A main reason APTs are an issue is that attackers can easily change application code or device firmware (that’s what makes them "advanced") without being noticed (that’s what makes them "persistent"). The threats are significant and don't necessarily involve just corporate data theft: think about malware on critical infrastructure, such as a flight computer in a plane, smart grids, or even traffic lights. Since the code runs on open platforms, the best line of defense is to make sure the software has not been modified by testing its authenticity.
Continue reading "Preventing Advanced Persistent Threats: Keep the Code Authentic" »
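As an added illustration of the authenticity check the code-signing post above describes (example code, not from the original post or from any product it refers to): a Go program that uses the standard library's Ed25519 to sign a constructed sample firmware image and then verify it. A single flipped bit in the image, or a signature checked against a different signer's key, fails verification. The image contents, the freshly generated key pairs and the helper names are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample standing in for a real firmware image or application binary.
var firmware = []byte("FIRMWARE v1.0: boot loader + control logic (constructed sample)")

// signImage hashes the image with SHA-256 and signs the digest with the
// publisher's private key. Ed25519 can sign arbitrary-length messages, but
// signing the digest keeps the signed message fixed-size and lets a verifier
// hash a large image in a streaming fashion.
func signImage(priv ed25519.PrivateKey, image []byte) []byte {
	digest := sha256.Sum256(image)
	return ed25519.Sign(priv, digest[:])
}

// verifyImage recomputes the digest and checks the signature against the
// publisher's public key. Any change to the image, a signature produced with
// a different key, or a malformed signature yields false.
func verifyImage(pub ed25519.PublicKey, image, sig []byte) bool {
	digest := sha256.Sum256(image)
	return ed25519.Verify(pub, digest[:], sig)
}

// checkResult records the outcome of the three checks demo performs.
type checkResult struct {
	GenuineAccepted  bool // unmodified image with the publisher's signature
	TamperedRejected bool // one bit flipped in the image
	WrongKeyRejected bool // valid signature checked against another key
}

// demo generates a publisher key pair, signs the sample image and exercises
// the verifier with a genuine, a tampered and a wrong-key case.
func demo() (checkResult, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return checkResult{}, err
	}
	// A second, unrelated key pair (hypothetical attacker or other vendor).
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return checkResult{}, err
	}

	sig := signImage(priv, firmware)

	// Tamper with a copy of the image by flipping the low bit of the last byte.
	tampered := append([]byte(nil), firmware...)
	tampered[len(tampered)-1] ^= 0x01

	return checkResult{
		GenuineAccepted:  verifyImage(pub, firmware, sig),
		TamperedRejected: !verifyImage(pub, tampered, sig),
		WrongKeyRejected: !verifyImage(otherPub, firmware, sig),
	}, nil
}

func main() {
	res, err := demo()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Printf("genuine image accepted:  %v\n", res.GenuineAccepted)
	fmt.Printf("tampered image rejected: %v\n", res.TamperedRejected)
	fmt.Printf("wrong key rejected:      %v\n", res.WrongKeyRejected)
}
```

In a real deployment the public key (or a certificate chain leading to a trusted root) would be embedded in the loader or update client, and the check would run before any code from the image is executed; the point the example makes is that the verifier needs nothing secret, only the publisher's public key and the image as received.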
As the final post in a series on key management in the Cloud, here are the remaining three strategies that organisations could look to adopt when thinking about how to secure their information in the Cloud.
The Just In Time Strategy is where keys and sensitive materials are stored on premise, only being released into the Cloud for a short time when needed. Quite a few companies are starting to offer such solutions, with a large on-premise management system and a small software plugin for the Cloud applications which can fetch and use keys when needed. This is a promising model but it’s early days: watch out for highly proprietary systems, vendor lock-in and the need to modify applications directly to take advantage of the solution. And remember: the keys have still been exposed to the Cloud, no matter how briefly.
Continue reading "Key Management Strategies in the Cloud Part 4: Treat your cryptographic keys as more than just data" »
Having outlined yesterday the need to take an information-centric approach to key management in the cloud, today I would like to share the first half of a series of six strategies that could help organisations take this approach.
The first strategy I would like to outline is the Trust Everyone Strategy, where existing applications, keys and management tasks are fork-lifted from the datacentre into the service provider. No special steps are taken to address the control challenges introduced by the Cloud. However, as we all know, no matter what else you outsource, you can’t outsource your responsibility, so this strategy is not really an option. I’m all for SLAs bridging the gap between business desires and technical reality, but wholesale handover of sensitive operations is probably a bridge too far.
Continue reading "Key Management Strategies in the Cloud Part 3: Trust Everyone, Trust No-one or Trust Someone" »
As outlined in my last post, crypto and key management clearly have a lot to offer in terms of the Cloud, but in the rush to get ahead, important details sometimes get overlooked. To ensure that cryptography and key management are deployed to best use in the Cloud, we need to take a step back and remember why these solutions exist and why we use them the way we already do. What drove people to choose one approach over another? Why have best practices and standards of due care developed in the way they have? In key management, as in all matters of security, we need to return to the why before we can decide on the what and the how.
Continue reading "Key Management Strategies in the Cloud Part 2: How might we better think about key management in the Cloud?" »